NetWorker: AUTHC fails with "unable to find valid certification path to requested target" in a round robin DC environment

Summary: You are attempting to configure AD over LDAPS (SSL) authentication with NetWorker AUTHC. The external authentication configuration uses "round robin" to alias several domain controllers (DC) to one address. The CA certificate is imported from the round robin address into the NetWorker Runtime Environment's (NRE) cacerts keystore. An error occurs when creating the external authority resource: An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find a valid certification path to the requested target. ...


Symptoms

NOTE: The CA certificate from the AD server must be imported into the NetWorker JRE/NRE ../lib/security/cacerts keystore to establish SSL communication between AUTHC and the authentication server.
  • The configuration fails with:
ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
com.emc.brs.auth.common.exception.BRHttpErrorException: 400 . Server message: Failed to verify configuration CONFIG_NAME An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find valid certification path to requested target
  • You are using an "alias" for the AD server which connects to different DCs in a round robin configuration. 

Cause

The Certificate Authority (CA) certificate is linked to the round robin alias Fully Qualified Domain Name (FQDN), but the Secure Sockets Layer (SSL) handshake binds to a specific server.

NOTE: Round robin is configured to load-balance requests in an environment. It uses multiple Domain Name System (DNS) entries with the same FQDN, each pointing to a different host IP. This is typically used for web-based applications that process requests from many clients.

For example, 'ad-ldap.amer.lan' may be a DNS round robin alias that redirects to multiple DC hosts in the environment. Collecting the certificate with openssl through the alias returns the certificate of one of the hosts behind it, here 'dc1.amer.lan':

[root@nsrserver: ~]# openssl s_client -showcerts -connect ad-ldap.amer.lan:636
Certificate chain
0 s:/CN=dc1.amer.lan
   i:/DC=lan/DC=amer/CN=AUTH-CA01
-----BEGIN CERTIFICATE-----
**REMOVED**
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.amer.lan
issuer=/DC=lan/DC=amer/CN=AUTH-CA01

If the certificate is imported into the JRE/NRE cacerts keystore using the round robin alias 'ad-ldap.amer.lan', the configuration does not match 'dc1.amer.lan' or any other server in the round robin configuration because of the name mismatch.

Resolution

You can use a round robin alias for non-SSL Lightweight Directory Access Protocol (LDAP) connections, because there is no requirement for an SSL certificate to match the host alias of a specific address.

To use SSL authentication, the certificate name must match the host that AUTHC connects to. Import the CA certificate for a specific DC and configure NetWorker authentication to use only that server; optionally, import the certificates for all DCs in the round robin. If the original DC has issues, update the configuration to use another DC whose CA certificate has already been imported.
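The diagnosis in the Cause section and the fix above, as an added shell script that is not part of the Dell article: it parses the `openssl s_client` output for the presented subject and issuer CN, reports whether the name AUTHC would be configured with matches the certificate, and (live, with network access) walks every address behind the alias and imports one DC's issuing CA into the NRE keystore under that DC's own name. The alias and host names mirror the article's example; `dig`, `openssl` and `keytool` on PATH, the `NRE_HOME` variable, the constructed sample output and the default `changeit` keystore password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Dell article: spot the round-robin name
# mismatch before importing anything into the NRE cacerts keystore.
#
# Assumptions (not from the article): the alias and DC names mirror the
# article's example; 'dig', 'openssl' and 'keytool' are on PATH and NRE_HOME
# points at the NetWorker Runtime Environment for the live functions.

# Constructed sample of 'openssl s_client' output, modelled on the article.
SAMPLE_OUTPUT=$(cat <<'EOF'
Certificate chain
 0 s:/CN=dc1.amer.lan
   i:/DC=lan/DC=amer/CN=AUTH-CA01
---
Server certificate
subject=/CN=dc1.amer.lan
issuer=/DC=lan/DC=amer/CN=AUTH-CA01
EOF
)

# Pull the CN out of the 'subject=' line; handles the old "/CN=host" and the
# newer "CN = host" layouts that different OpenSSL releases print.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Same for the 'issuer=' line: this is the CA that must end up in cacerts.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/^issuer=.*CN *= *\([^,/]*\).*/\1/p' \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Exit 0 when the presented CN equals the name AUTHC will connect to.
cn_matches_host() {
    [ "$2" = "$1" ]
}

# One-line verdict for a name AUTHC would be configured with.
report_cn() {
    connected_to=$1
    cn=$(subject_cn "$2")
    ca=$(issuer_cn "$2")
    if cn_matches_host "$connected_to" "$cn"; then
        printf 'OK       %s presents CN=%s (issuer CN=%s)\n' "$connected_to" "$cn" "$ca"
    else
        printf 'MISMATCH %s presents CN=%s (issuer CN=%s): point AUTHC at %s\n' \
            "$connected_to" "$cn" "$ca" "$cn"
    fi
}

# Live check (needs network): resolve the alias to every DC address, fetch the
# certificate each one presents, and report which host name AUTHC should use.
check_round_robin() {
    rr_alias=$1
    port=${2:-636}
    for ip in $(dig +short "$rr_alias" | grep -E '^[0-9.]+$'); do
        out=$(openssl s_client -connect "$ip:$port" -servername "$rr_alias" </dev/null 2>/dev/null)
        report_cn "$rr_alias" "$out"
    done
}

# Live import (needs network): save the issuing CA certificate that one
# specific DC sends as chain entry 1 and add it to the NRE keystore under the
# DC's own name, so that DC can then be configured in AUTHC by that name.
# 'changeit' is the Java cacerts default password, assumed for this setup.
import_dc_ca() {
    dc_host=$1
    port=${2:-636}
    openssl s_client -showcerts -connect "$dc_host:$port" -servername "$dc_host" </dev/null 2>/dev/null \
        | awk '/BEGIN CERTIFICATE/{n++} n==2 {print} /END CERTIFICATE/ && n==2 {exit}' \
        > "$dc_host-ca.pem"
    if [ ! -s "$dc_host-ca.pem" ]; then
        echo "$dc_host did not send its issuer certificate; export it from the CA instead" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$dc_host" \
        -file "$dc_host-ca.pem" -keystore "$NRE_HOME/lib/security/cacerts" -storepass changeit
}

# Demonstration on the constructed sample: the alias never matches, the DC does.
report_cn ad-ldap.amer.lan "$SAMPLE_OUTPUT"
report_cn dc1.amer.lan "$SAMPLE_OUTPUT"
```

Run `check_round_robin ad-ldap.amer.lan` against the live alias to list the DC name each address actually presents, then `import_dc_ca dc1.amer.lan` (or whichever DC you choose) and configure AUTHC with that DC's name rather than the alias.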

See: NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)

Additional Information

Affected Products

NetWorker
Article Properties
Article Number: 000187608
Article Type: Solution
Last Modified: 23 May 2025
Version: 3